Vital--CryptoWall 2.0 Ransomware Worm

Posts related to Medisoft Clinical go here. You should consult with your Medisoft Clinical VAR if you are unsure about any configuration changes suggested here.
Gavin Walker
Posts: 4625
Joined: Wed Apr 04, 2007 10:11 pm
Location: Springfield, MO

Post by Gavin Walker » Thu Oct 30, 2014 12:17 pm

MedTech has become aware of a Ransomware worm that has the possibility to affect insecure systems. It is our objective to help ensure that you are completely aware of this worm, its effect, and methods you can use to help ensure your system is safe.

Problem: CryptoWall 2.0 has been classified as a Ransomware worm known to encrypt user system files, including those in the PPART application directory altering Practice Partner functionality, which may threaten system stability and possibly patient files. CryptoWall v2.0 also erases the original file by secure removal to stop the files from being repaired with file rescue software, and it tries to remove Windows Shadow Volume copies to stop files from being repaired.

Effect: Important files in PPART are encrypted with RSA2048 encryption – decryption is not likely with present tools. You will see numerous files inside PPART called DECRYPT_INSTRUCTION.TXT and/or DECRYPT_INSTRUCTION.HTML. These files will offer you a URL and payment directions to be provided the decryption key to retrieve the encrypted files. CryptoWall is known to pursue vulnerable .dat files, and has been known to encrypt html and text files as well.

Threat Mitigation:
1. Do not download PDF message attachments from unidentified sources. The greatest distribution route is an executable camouflaged as a PDF in a zipped message attachment.
2. Confirm that your anti-virus solution is up to date.
3. Run frequently scheduled anti-virus checks on both the server and workstations.
4. Include the Practice Partner® application directory (PPART) and the client directory (C:\Program Files (x86)\McKesson\Practice Partner) in scheduled checks.
5. Use Windows Group or Local Policy editor to make software restraint rules to stop executables from running in particular places – CryptoWall’s executables regularly run from:
  • C:\<random>\<random>.exe
  • C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
  • C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
  • C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
  • %Temp%

6. Additional info on setting up Software Restriction rules is available from:

Should you encounter this worm on your system(s), we advocate that you consider the subsequent actions with your counsel, as in certain situations payment of the demand may breach some Federal laws.

Gavin Walker
Walker Tek Solutions, LLC
417-890-6777 x0
fax: 417-763-6386
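As an added example (not part of the post above, nor MedTech's or Walker Tek's own tooling), this PowerShell script applies step 5 on a single machine by writing the same Software Restriction Policy registry keys that the Local Security Policy editor writes, with a check that lists the rules in force. It assumes an elevated session, the documented layout under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, and a Local Policy rather than a domain GPO.

```powershell
#Requires -RunAsAdministrator
# Added example: Software Restriction Policy "Disallowed" path rules for the
# launch locations the advisory lists. Assumption: the SRP registry layout
# below (level 0 = Disallowed, DefaultLevel 0x40000 = Unrestricted).
$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $saferRoot '0\Paths'

# Profile-relative forms of the paths named in the advisory. The drive-root
# pattern C:\<random>\<random>.exe is left out: a wildcard rule at the root also
# matches legitimate program folders and needs per-site tuning.
$blockedPaths = @(
    '%LOCALAPPDATA%\*.exe',   # C:\Users\<User>\AppData\Local\<random>.exe
    '%APPDATA%\*.exe',        # C:\Documents and Settings\<User>\Application Data\<random>.exe
    '%TEMP%\*.exe'            # %Temp%
)

function Set-SrpDefaults {
    # Turn SRP on with default level Unrestricted so only the explicit rules block.
    if (-not (Test-Path $saferRoot)) { New-Item -Path $saferRoot -Force | Out-Null }
    New-ItemProperty -Path $saferRoot -Name DefaultLevel -Value 0x40000 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $saferRoot -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $saferRoot -Name PolicyScope -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users
}

function Add-SrpDisallowedPath([string]$Path, [string]$Description) {
    # One GUID-named subkey per rule, exactly as secpol.msc creates them.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Get-SrpDisallowedPaths {
    # Verification: return the ItemData of every Disallowed path rule present.
    Get-ChildItem $disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

Set-SrpDefaults
foreach ($p in $blockedPaths) {
    if (-not (Get-SrpDisallowedPaths | Where-Object { $_ -eq $p })) {
        Add-SrpDisallowedPath -Path $p -Description 'CryptoWall mitigation (MedTech advisory)'
    }
}
Get-SrpDisallowedPaths   # should list the three patterns above
```

The rules take effect for new processes after `gpupdate /force` or a reboot; test on one workstation first, since any legitimate installer that runs from %TEMP% will also be blocked.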
